The European Union (EU) plays a coordinating role on cybersecurity and primarily aims to build a cyber-resilient regulatory framework. Its cybersecurity policy is delineated by the foundational Treaties and has been shaped by two concepts: the internal market rationale and resilience. The internal market rationale entails that the EU is legitimized to formulate a common policy and promote harmonized standards on cyberissues because the regulation and protection of the internal market require it to do so. Resilience is the core concept in the EU’s cybersecurity strategy and represents the capacity to resist and regenerate. The EU aims to achieve deterrence by resilience. Following the strong path dependency of the internal market rationale, cybersecurity policy in all domains of EU competence is eventually accessory or complementary to the resilience of the internal market. However, cyber-security as a cross-cutting policy concern has also had a significant spill-over effect into domains other than the internal market, namely the Area of Freedom, Security and Justice, the Common Foreign and Security Policy, and the Common Security and Defence Policy.